Date: Wed, 8 Feb 2012 13:28:36 +0100
From: Patrick Proniewski <patpro@patpro.net>
To: Liste FreeBSD-security <freebsd-security@freebsd.org>
Subject: zfs noexec override, sort of.
Message-ID: <277F2E3F-AB7F-491A-ABB5-9178B0AC44BB@patpro.net>

Hi,

Not sure if it's a real security issue, or if it's a feature.
ZFS allows the admin to create noexec volumes, so that users won't be
able to execute binaries sitting on these volumes. But as soon as one of
these binaries is available on a snapshot, it becomes available for the
user to execute:

# zfs create tank/test-exec
# ls
test-exec
# zfs get -r exec tank/test-exec
NAME            PROPERTY  VALUE  SOURCE
tank/test-exec  exec      off    local
# cp /bin/ls /tank/test-exec/
# /tank/test-exec/ls
bash: /tank/test-exec/ls: Permission denied
# zfs snapshot tank/test-exec@noexec
# zfs get -r exec tank/test-exec
NAME                   PROPERTY  VALUE  SOURCE
tank/test-exec         exec      off    local
tank/test-exec@noexec  exec      off    inherited from tank/test-exec
# /tank/test-exec/.zfs/snapshot/noexec/ls
test-exec

Once the snapshot is accessed, it's mounted automatically, and gets back
an exec=on property:

# zfs get -r exec tank/test-exec
NAME                   PROPERTY  VALUE  SOURCE
tank/test-exec         exec      off    local
tank/test-exec@noexec  exec      on     temporary

So it makes it very easy for a user to install and use binaries on a
shared server where (for example) every home is a ZFS volume with daily
snapshots.

regards,
patpro
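
Added example, not part of the original message: an audit helper that reads `zfs get -H` output (tab-separated, no header) and reports every snapshot whose exec property is "on" while its parent dataset is exec=off, the state shown in the last listing above. The function names and the sample input are constructed for illustration; the dataset names are taken from the message.

```shell
#!/bin/sh
# Added example (not from the original message).
# Intended input on a real system:
#   zfs get -H -o name,value,source -r -t filesystem,snapshot exec tank
# Fields are tab-separated: name, value, source.

find_exec_snapshots() {
    awk -F '\t' '
        # Filesystems (no "@" in the name): remember their exec value.
        index($1, "@") == 0 { fs_exec[$1] = $2; next }
        # Snapshots: keep the whole line until all filesystems are known.
        { snaps[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                split(snaps[i], f, "\t")
                parent = f[1]
                sub(/@.*/, "", parent)      # tank/a@snap -> tank/a
                # Report snapshots executable despite a noexec parent.
                if (fs_exec[parent] == "off" && f[2] == "on")
                    printf "%s\texec=%s\tsource=%s\n", f[1], f[2], f[3]
            }
        }'
}

# Constructed sample: the state after the snapshot has been accessed
# and auto-mounted, as in the final "zfs get" listing of the message.
sample_after_access() {
    printf 'tank/test-exec\toff\tlocal\n'
    printf 'tank/test-exec@noexec\ton\ttemporary\n'
}

# Demo run on the constructed sample.
sample_after_access | find_exec_snapshots
```

Because the exec=on value only appears once a snapshot has been auto-mounted, a run of this check reflects snapshots that are mounted at that moment, not every snapshot that could be reached under .zfs/snapshot.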